1. Field of the Invention
The present invention relates to security policies. More specifically, the present invention relates to a method and system for optimizing row level security in database systems.
2. Related Art
Many database systems use Access Control Lists (ACLs) to describe security policies for the database systems. Each ACL may further include a list of Access Control Entries (ACEs) that specify a set of access privileges granted or denied to a particular entity, such as a user or role. ACLs are typically stored as XML documents, and provide a declarative way to define security policies. In many instances, these ACLs are also stored in the database system.
In addition, row level security may be implemented by the database system. In particular, row level security may be provided by associating each ACL with a predicate that determines the application of the ACL to a database row and/or other object in the database. Conventionally, the predicates and ACLs are often evaluated for each database row returned in response to a database query to determine access privileges to the individual database rows. As a result, with existing database row level security implementations, query time for a database table in the database system may increase linearly with the number of rows in the database table. The increase in query time may further result in a negative performance impact on the database system.
Hence, row level security in database systems may be improved through mechanisms that optimize the evaluation of ACLs and/or predicates for database rows.
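The conventional per-row evaluation described above can be sketched as follows. This is an added illustration, not code from the patent: the class and function names, the sample table, the two ACLs and the "first matching ACE decides, default deny" rule are all assumptions made for the example. It counts predicate and ACE evaluations to show the cost growing in step with the row count.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class ACE:
    principal: str   # user or role the entry applies to
    privilege: str   # e.g. "select"
    grant: bool      # True grants the privilege, False denies it

@dataclass(frozen=True)
class ACL:
    predicate: Callable[[dict], bool]  # decides whether the ACL applies to a row
    aces: tuple

def row_allowed(row, principals, privilege, acls, stats):
    # Assumption of this sketch: ACLs are checked in order, the first matching
    # ACE decides, and a row with no matching ACE is denied.
    for acl in acls:
        stats["predicate_evals"] += 1
        if not acl.predicate(row):
            continue
        for ace in acl.aces:
            stats["ace_evals"] += 1
            if ace.principal in principals and ace.privilege == privilege:
                return ace.grant
    return False

def secure_select(table, principals, acls):
    # Conventional approach: every candidate row is checked individually.
    stats = {"predicate_evals": 0, "ace_evals": 0}
    visible = [r for r in table if row_allowed(r, principals, "select", acls, stats)]
    return visible, stats

def make_table(n):
    # Constructed sample rows: even ids belong to HR, every fourth row is classified.
    return [{"id": i, "dept": "HR" if i % 2 == 0 else "ENG", "classified": i % 4 == 0}
            for i in range(n)]

# Constructed policy: contractors are denied classified rows; hr_staff may read HR rows.
ACLS = (
    ACL(lambda r: r["classified"], (ACE("contractor", "select", False),)),
    ACL(lambda r: r["dept"] == "HR", (ACE("hr_staff", "select", True),)),
)

if __name__ == "__main__":
    for n in (8, 80, 800):
        rows, stats = secure_select(make_table(n), {"alice", "hr_staff", "contractor"}, ACLS)
        print(n, len(rows), stats)
```

Each tenfold increase in rows produces a tenfold increase in both counters, which is the linear growth in query time that the passage attributes to existing implementations.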